Quote:
Originally Posted by vishalrao: Interesting stuff, I'm assuming you've read pages like this -> Certificate Autoenrollment in Windows Server 2003
I'm *guessing* (no experience) the CAs need to be online and contactable for things like CRL (Certificate Revocation List) checking and simply updating your installed certs? Try disabling Certificate Revocation List (CRL) checking and see if that stops it... Turn CRL checking on or off
Thanks for the URLs provided .... here's the fetched info:
Autoenrollment always performs a revocation check of the entire certificate chain, starting with the issuing certification authority, to ensure that the CA offering enrollment services is not revoked before performing enrollment. If the CA is revoked, autoenrollment will not send requests to that certification authority. However, autoenrollment will ignore revocation errors if a CDP (CRL Distribution Point) extension does not exist in the CA certificate or if the revocation status is offline.
Now, how do I do the part marked above in bold ...?
The following process helped to identify what was kaput ...
Autoenrollment Failures
Autoenrollment will warn the user with a warning dialog box when an autoenrollment failure occurs. This feature is only enabled when user interaction is required on the certificate template.
To enable the warning feature for an autoenrollment failure:
1. Open the specified template in the Certificate Templates MMC snap-in.
2. Click the Request Handling tab.
3. Click "Prompt the user during enrollment" on the Request Handling tab of the certificate template properties.
Here is the error screenshot ...
Now this means that the certificate that interCA enrolled to issuingCA had a CRL defined on it ... with the time at which to check for an update of the CRL ... new clients who try to autoenroll check the CRL of the entire tree ... is the same applicable to the delta CRL ... now, how do I get the clients not to check the CRL CDP ... via GPOs ... ?
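One way to see exactly what the autoenrollment revocation check described above will run into, as an added example that is not part of the original post or of the quoted Microsoft documentation: build the chain of the issuing CA certificate with online revocation checking and, for each certificate in the chain, report whether it carries a CDP extension (OID 2.5.29.31) and what revocation status the chain engine returns. The thumbprint parameter and the choice of the LocalMachine CA/Root stores are assumptions; replace them with the certificate you are actually troubleshooting.

```powershell
# Added example (not from the original post). Inspects the chain of a CA certificate and
# reports, per certificate, whether a CRL Distribution Points extension is present and
# whether online revocation checking succeeds. The thumbprint is a placeholder (assumption).
param(
    [string]$Thumbprint = 'REPLACE_WITH_THUMBPRINT'   # assumption: thumbprint of the issuing CA cert
)

# Look for the certificate in the machine's Intermediate and Root CA stores (assumed location).
$cert = Get-ChildItem -Path Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
if (-not $cert) { throw "Certificate with thumbprint $Thumbprint not found in CA or Root store" }

# Build the chain the same way a revocation-aware client would: online CRL fetch, entire chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode   = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag   = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$chainOk = $chain.Build($cert)

foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate

    # OID 2.5.29.31 is the CRL Distribution Points extension; without it the chain engine
    # cannot locate a CRL for this certificate, which is the "no CDP extension" case above.
    $cdp     = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($true).Trim() } else { '<no CDP extension>' }

    # RevocationStatusUnknown / OfflineRevocation here correspond to the "revocation status
    # is offline" case; Revoked means the CA really has been revoked.
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }

    [pscustomobject]@{
        Subject    = $c.Subject
        NotAfter   = $c.NotAfter
        HasCDP     = [bool]$cdp
        CDP        = $cdpText
        Revocation = $status
    }
}

"Chain builds cleanly: $chainOk"
```

Run it on the CA with the issuing CA's thumbprint; any element whose Revocation column shows RevocationStatusUnknown or OfflineRevocation is the certificate whose CDP URL the clients cannot reach, and the CDP column shows the URL they are trying. The same information can be cross-checked with `certutil -verify -urlfetch <cert.cer>`, which attempts to download every CDP and AIA URL in the chain and reports each fetch result.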